Web Application Security

Web application security refers to the protection of both browser endpoints and the APIs they connect to against Magecart/formjacking-style attacks, malicious browser extensions, banking trojans, malvertisements, and other cyber security threats. When addressed properly (with JavaScript protection, threat detection, limiting API connections to known good sites, and defensive measures that can shut down web app functionality in the event of an attack), effective web application security enables customers to detect and protect against active threats, protecting businesses and consumers from data breaches and financial losses.

Getting Ahead of Web App Security Threats

As web application technology evolves, robust security measures must follow suit. Threats to web app security are a reality and happening across the globe. Standard measures are no longer sufficient to protect against evolving threats. Fortunately, apps do not have to remain vulnerable, waiting to be exploited by bad actors. There are solid security measures and practices that can be employed to protect this ever-growing attack surface.

Web Applications Have Evolved—so Must Security

New attack vectors are constantly emerging as technology evolves. Now more than ever, comprehensive security tools are needed. Previously, device endpoint protection and network security were the ultimate in protective measures. Then came mobile and cloud technology, greatly minimizing network security efficacy and essentially blowing apart the perimeter-centric protection approach so heavily relied upon.

Fast-forward to today, where a whole new approach to accessing back-office systems has evolved, opening up new business opportunities, both legitimate and illegitimate. Organizations are now increasingly relying on application programming interfaces (APIs) to drive innovation, speed development and provide new monetization opportunities. But, according to the Open Web Application Security Project (OWASP) API Security Top 10 2019 report, “By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers.” Moving important components to the client side of applications (that is, outside the protection of traditional network security) creates a massive new attack surface, increasing the risk of attacks such as formjacking, Document Object Model (DOM) tampering, session abuse, overlay attacks, and API abuse.

Unfortunately, many organizations still believe a web application firewall (WAF) is all that’s needed to protect web apps from security threats. In reality, WAFs provide only a portion of the solution. Traditional security techniques such as WAFs are unable to stop today's web app attacks that, in many cases, originate at the browser, outside the purview of network security. By the time they are triggered, if ever, the bad actor is long gone with sensitive information, and all that can be done is to focus efforts on damage control.

As bad actors continue pushing boundaries in identifying new attack vectors, organizations must respond in kind to ensure critical assets and data are being properly and fully protected.

Web Application Security Risks Are Real and Happening Now

An estimated 95% of websites run on JavaScript and HTML5—languages that can easily be intercepted, viewed and compromised. This leaves web applications and APIs vulnerable to client-side attacks, especially when relying only on traditional perimeter security tools like a WAF. According to Symantec, more than 4,800 websites are compromised by formjacking every month. Client-side data exfiltration attacks are just one of the threat vectors web applications face, which is why a layered security approach is so important.

As seen with recent web-based application breaches at British Airways and Ticketmaster, even if a WAF was in place and properly configured, it would not have been able to prevent these browser/client-side breaches. Once the exploitations were discovered, hundreds of thousands of customer records had already been exfiltrated—too late to take any action.

Common Web App Vulnerabilities

According to OWASP, the top 10 most common application vulnerabilities include:

Injection. An injection happens when a bad actor sends invalid data to the web app to make it operate differently from the intended purpose of the application.

Broken Authentication. A broken authentication vulnerability allows a bad actor to gain control over an account within a system or the entire system.

Sensitive Data Exposure. Sensitive data exposure means data is vulnerable to being exploited by a bad actor when it should have been protected.

XML External Entities (XXE). XXE is a type of attack against an application that parses XML input; it occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Broken Access Control. Broken access control occurs when components of a web application are accessible instead of being protected as they should be, leaving them vulnerable to data breaches.

Security Misconfigurations. Misconfiguring a web application provides bad actors with an easy way in to exploit sensitive information.

Using Components with Known Vulnerabilities. Missed software updates and update change logs can serve as big tip-offs for bad actors looking for a way into a web application. Disregarding updates can allow a known vulnerability to survive within a system.

Insufficient Logging and Monitoring. Lack of efficient logging and monitoring processes increases the chances of a web app being compromised.

The majority of these vulnerabilities are out of the control of WAFs since WAFs are limited in their ability to stop malicious traffic that appears entirely legitimate.

Magecart Is Always Working to Exploit Web App Vulnerabilities

With bad actors such as Magecart—a loose collection of cyber criminal groups who target web apps to steal customer payment card information—working around-the-clock to exploit web app vulnerabilities, understanding the attack vectors driving these attacks and the steps necessary to stop them and protect web applications is critical.

Practical Solutions for Protecting Web Apps

Despite the fact that there are groups like Magecart doing everything possible to create new exploits and attacks to obtain sensitive information, web applications can be protected.

Flexible code protection, threat detection and data exfiltration prevention are all elements of a practical web security solution necessary to protect client-side apps and the web services they connect to, and all are included in Arxan for Web:

Passive Protection through a range of obfuscation techniques to protect ‘in the clear’ JavaScript/HTML5 code and APIs from being easily understood by attackers.

Active Protection to protect against browser data exfiltration with an in-app firewall by allowing the app or API to connect only with legitimate servers, and automatically responding with countermeasures when code analysis or tampering is detected by shutting down web app functionality or the entire browser.

Real-Time Threat Notification to alert the business when code or page tampering or analysis is attempted, so that an immediate operational response can be initiated, such as shutting down attacker accounts or updating web code protection to counter an attack.
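
The "connect only with legitimate servers" idea in the Active Protection item above comes down to an exact-origin allowlist. The JavaScript below is an added illustration, not Arxan for Web code; the hosts, the OBSERVED sample and the function names are constructed for the example. It contrasts a string-prefix check, which lookalike hosts pass, with a check on the parsed origin.

```javascript
// Added example: origin allowlist for outbound requests from a page.
// All hosts below are constructed placeholders, not real endpoints.
const PAGE_URL = "https://shop.example/checkout";
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",
  "https://api.shop.example",
  "https://payments.example",
]);

// Weak check: prefix matching on the raw string.
function naiveIsAllowed(url) {
  return [...ALLOWED_ORIGINS].some((o) => url.startsWith(o));
}

// Stricter check: parse first, then compare the exact origin.
function isAllowed(url, pageUrl = PAGE_URL) {
  let parsed;
  try {
    parsed = new URL(url, pageUrl); // resolves relative URLs against the page
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (parsed.protocol !== "https:") {
    return { allowed: false, reason: "scheme " + parsed.protocol };
  }
  if (parsed.username || parsed.password) {
    return { allowed: false, reason: "userinfo in URL" };
  }
  if (!ALLOWED_ORIGINS.has(parsed.origin)) {
    return { allowed: false, reason: "origin " + parsed.origin };
  }
  return { allowed: true, reason: "allowlisted" };
}

// Constructed sample of destinations observed from the checkout page.
const OBSERVED = [
  "/cart/total",                                      // same-origin, relative
  "https://api.shop.example/v1/order",                // allowlisted API
  "https://api.shop.example.collector.test/v1/order", // lookalike host
  "https://api.shop.example@collector.test/v1/order", // allowlisted name as userinfo
  "http://api.shop.example/v1/order",                 // scheme downgrade
];

// Destinations the strict check would refuse.
function blocked(urls) {
  return urls.filter((u) => !isAllowed(u).allowed);
}

console.log(blocked(OBSERVED));
```

The last three OBSERVED entries are refused by isAllowed, while naiveIsAllowed accepts the lookalike and userinfo forms because both begin with an allowlisted string.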
